Identity and Card Theft – Shielding Yourself from the Unsafe Small Business

With a constant stream of news of big organizations that have neglected their security, we often forget that the most vulnerable organizations are the small and medium businesses that don’t have the resources to build elaborate security teams. These businesses can have a single iPad, phone or dated register protecting their critical customer data. They aren’t using business class networking equipment and don’t have firewall hardware. And, most importantly, they don’t have processes that protect user data from malicious employees.

The most common places that we encounter these threats are the everyday small to medium transactions. Small grocery and convenience stores, bars, boutique shops and restaurants.

In these everyday payments, all it takes is a malicious employee spending ten seconds writing down your card numbers, or snapping two quick photos of your card to have all of your information.

Here, we discuss the mitigation of the threat of small insecure businesses in your daily life, and how to reduce the harm that a breach at one of these businesses can cause you.

For small daily transactions:

Cash Cash Cash – When you visit high risk small businesses, give them cash. The absolute best defense against theft is to never give them your private data in the first place. It avoids the myriad of risks outright.

Use gift cards that do not require personal information – My personal preference is the Vanilla Visa in the US. You can load the cards with up to $500 and can enter any fictional name, address, and zip when checking out. If one of these gets compromised by your barber, you can simply throw it away and be annoyed.

Use a SEPARATE credit card – If cash or gift cards are not reasonable options for you, using a separate credit card (not your debit card as credit) isolates your risk to a single entity. This works far better than using a basic debit card, because if a credit card is breached, it just temporarily increases your balance while the issuing bank investigates the fraud. With a debit card, this is taking funds directly from your bank account, which can create serious shortfalls in your budget for weeks until you are reimbursed for the theft.

Use credit instead of debit – When running a transaction as debit and entering your PIN, you are foregoing many of the protection features of the card per your user agreement. If you lose your PIN in a data breach it is a lot harder to recover your money.

Do not use your primary email – This avoids the risks of your email leaking to third parties. This can both be through malice, and through business agreements with third parties, such as their payment gateway software. A breach at any party holding this information makes you a target for identity theft. Once an attacker has your email address, they will attempt to phish your sign-in credentials out of you often impersonating the business that they’ve breached. If they can get you to click on a malicious link, or coerce you into revealing information about your secret questions (or just finding those answers through social media) they can gain access to your email and issue password resets on your major accounts. This will have a substantially higher impact on your life than the loss of a single card account for a few weeks while your bank sorts out the fraud. It will span multiple accounts and disrupt your entire life.

For Questionable Online Retailers:

Use cryptocurrency over a VPN if it is an option – This is the best option for protecting an online transaction from a questionable online retailer. Other than the risk of the retailer running off with your transaction money, you have no further risk of the retailer leaking your information or stealing your card data. They only have a cryptocurrency address that they can’t use, they don’t have your IP address, and whatever information you gave them for shipping (see: Get a P.O. box below)

Use gift cards that do not require personal information – This is the best option if cryptocurrency isn’t an option. You do not have to give the site any real customer data. You can use a fictional name, address, and zip and it will be accepted.

Use one-time credit card numbers if your bank provides the service – This service is only provided by some banks, and while it is an improvement over using your regular card because it doesn’t leak reusable transaction information, it still requires you to enter your real name, address, and zip for the temporary card number to function. This is all data that can be leaked by the site and payment processors.

Use credit – avoid using your debit card as credit and NEVER enter a PIN online – Do not use your debit card if you can use anything else. This will limit the damage that a breach can do to you by relegating it to credit only, and in a worse case scenario you have some credit frozen for a time while your bank sorts out the issue. Above all, never enter a PIN online with a debit card. This waives most of your protections and will make it much harder to recover your money.

Do not use your primary email – For all of the reasons stated above. Protecting your email that is connected to your accounts and banking is crucial.

Get a P.O. box – This adds an additional layer of privacy against questionable online businesses. By avoiding entering your personal address it is simply less information that you have to leak. In combination with a VPN and cryptocurrency, the retailer has no information to leak about you.

Derek is a cryptographer, security expert and privacy activist. He has twelve years of security experience and six years of experience designing and implementing privacy systems. He founded the Open Source Technology Improvement Fund (OSTIF) which focuses on creating and improving open-source security solutions through auditing, bug bounties, and resource gathering and management.